Di. THE CLAIMS

Amended claims follow:

1. (Currently Amended) A computerized method comprising:
determining an active networked application;

filtering a set of intrusion rules to create a subset of intrusion rules corresponding
to the active networked application, where the subset of the intrusion rules corresponding
to the active networked application are capable of being used for evaluating intrusions
that target the corresponding active networked application; and

evaluating network traffic using the subset of intrusion rules;

wherein the subset of the intrusion rules corresponding to the active networked
application are used for the evaluation for reducing a required amount of processing
resources.

2. (Original) The computerized method of claim 1 further comprising: 
detecting when the active networked application becomes inactive; and 
re-filtering the set of intrusion rules.

3. (Original) The computerized method of claim 2, wherein the detecting comprises: 
monitoring network connection terminations.

4. (Original) The computerized method of claim 2, wherein the detecting comprises:
monitoring application terminations. 

5. (Original) The computerized method of claim 1 further comprising:
detecting when no networked application is active; and 

suspending the evaluating of network traffic until a networked application is
active.

6. (Original) The computerized method of claim 1, wherein the subset of rules
further corresponds to an operating system and further comprising:

continuing the evaluating of network traffic if no networked application is active.

7. (Original) The computerized method of claim 1, wherein the determining
comprises: 

detecting when a network connection for an active application is initiated. 

8. (Original) The computerized method of claim 1, wherein the filtering comprises:
marking an intrusion rule corresponding to the active networked application.

9. (Original) The computerized method of claim 1, wherein the filtering comprises: 
extracting the subset of rules into an optimized set of rules.

10. (Original) The computerized method of claim 1, wherein the evaluating 
comprises: 

analyzing network traffic on a port specified in the subset of rules.

11. (Original) The computerized method of claim 1, wherein the evaluating
comprises: 

analyzing network traffic for a protocol specified in the subset of rules.

12. (Original) The computerized method of claim 1, wherein the evaluating
comprises: 

discarding network traffic that satisfies at least one of the subset of rules; and
reporting an intrusion attempt. 

13. (Original) The computerized method of claim 1, wherein the set of intrusion rules
comprises signatures of known attacks.

14. (Original) The computerized method of claim 1, wherein the set of intrusion rules
comprises heuristic rules.

15. (Currently Amended) A computer-readable medium having executable
instructions to cause a computer to perform a method comprising:

determining an active networked application;

filtering a set of intrusion rules to create a subset of intrusion rules corresponding
to the active networked application, where the subset of the intrusion rules corresponding
to the active networked application are capable of being used for evaluating intrusions
that target the corresponding active networked application; and

evaluating network traffic using the subset of intrusion rules;
wherein the subset of the intrusion rules corresponding to the active networked
application are used for the evaluation for reducing a required amount of processing
resources.

16. (Original) The computer-readable medium of claim 15, wherein the method
further comprises:

detecting when the active networked application becomes inactive; and 
re-filtering the set of intrusion rules. 

17. (Original) The computer-readable medium of claim 16, wherein the detecting 
comprises: 

monitoring network connection terminations. 

18. (Original) The computer-readable medium of claim 16, wherein the detecting
comprises: 

monitoring application terminations. 

19. (Original) The computer-readable medium of claim 15, wherein the method
further comprises:

detecting when no networked application is active; and
suspending the evaluating of network traffic until a network application is active.

20. (Original) The computer-readable medium of claim 15, wherein the subset of
rules further corresponds to an operating system and the method further comprises:

continuing the evaluating of network traffic if no networked application is active. 

21. (Original) The computer-readable medium of claim 15, wherein the determining
comprises: 

detecting when an active application initiates a network connection. 

22. (Original) The computer-readable medium of claim 15, wherein the filtering
comprises:

marking an intrusion rule corresponding to the active networked application.

23. (Original) The computer-readable medium of claim 15, wherein the filtering
comprises: 

extracting the subset of rules into an optimized set of rules. 

24. (Original) The computer-readable medium of claim 15, wherein the evaluating
comprises: 

analyzing network traffic on a port specified in the subset of rules. 

25. (Original) The computer-readable medium of claim 15, wherein the evaluating
comprises: 

analyzing network traffic for a protocol specified in the subset of rules. 

26. (Original) The computer-readable medium of claim 15, wherein the evaluating
comprises: 

discarding network traffic that satisfies at least one of the subset of rules; and 
reporting an intrusion attempt.

27. (Original) The computer-readable medium of claim 15, wherein the set of
intrusion rules comprises signatures of known attacks.

28. (Original) The computer-readable medium of claim 15, wherein the set of 
intrusion rules comprises heuristic rules. 

29. (Currently Amended) A system comprising:

a processor coupled to a memory through a bus; and

an intrusion prevention process executed from the memory by the processor to
cause the processor to determine an active networked application, to filter a set of
intrusion rules to create a subset of intrusion rules corresponding to the active networked
application, where the subset of the intrusion rules corresponding to the active networked
application are capable of being used for evaluating intrusions that target the
corresponding active networked application, and to evaluate network traffic using the
subset of intrusion rules;

wherein the subset of the intrusion rules corresponding to the active networked
application are used for the evaluation for reducing a required amount of processing
resources.

30. (Original) The system of claim 29, wherein the intrusion prevention process
further causes the processor to detect when the active networked application becomes
inactive, and to re-filter the set of intrusion rules. 

31. (Original) The system of claim 30, wherein the intrusion prevention process
further causes the processor to monitor network connection terminations in detecting
when the active networked application becomes inactive. 

32. (Original) The system of claim 30, wherein the intrusion prevention process
further causes the processor to monitor application terminations in detecting when the
active networked application becomes inactive.

33. (Original) The system of claim 29, wherein the intrusion prevention process
further causes the processor to detect when no networked application is active, and to
suspend evaluating network traffic until a network application is active.

34. (Original) The system of claim 29, wherein the intrusion prevention process 
further causes the processor to further filter the intrusion rules based on an operating 
system and to continue evaluating network traffic if no networked application is active.

35. (Original) The system of claim 29, wherein the intrusion prevention process 
further causes the processor to detect when an active application initiates a network
connection in determining an active networked application. 

36. (Original) The system of claim 29, wherein the intrusion prevention process
further causes the processor to mark an intrusion rule corresponding to the active 
networked application in filtering the set of intrusion rules. 

37. (Original) The system of claim 29, wherein the intrusion prevention process
further causes the processor to extract the subset of rules into an optimized set of rules in
filtering the set of intrusion rules. 

38. (Original) The system of claim 29, wherein the intrusion prevention process
further causes the processor to analyze network traffic on a port specified in the subset of 
rules in evaluating the network traffic. 

39. (Original) The system of claim 29, wherein the intrusion prevention process 
further causes the processor to analyze network traffic for a protocol specified in the 
subset of rules in evaluating the network traffic. 

40. (Original) The system of claim 29, wherein the intrusion prevention process
further causes the processor to discard network traffic that satisfies at least one of the
subset of rules, and to report an intrusion attempt in evaluating the network traffic.

41. (Original) The system of claim 29, wherein the set of intrusion rules comprises
signatures of known attacks.

42. (Original) The system of claim 29, wherein the set of intrusion rules comprises 
heuristic rules.

43. (Currently Amended) An apparatus comprising:

means for determining when an active application becomes an active networked
application;

means for filtering coupled to the means for determining to create a subset of
intrusion rules corresponding to the active networked application from a set of intrusion
rules, where the subset of the intrusion rules corresponding to the active networked
application are capable of being used for evaluating intrusions that target the
corresponding active networked application; and

means for evaluating coupled to the means for filtering to evaluate network traffic
using the subset of intrusion rules;

wherein the subset of the intrusion rules corresponding to the active networked
application are used for the evaluation for reducing a required amount of processing
resources.

44. (Original) The apparatus of claim 43, wherein the means for determining further
detects when the active networked application becomes inactive and the means for
filtering further re-filters the set of intrusion rules when the active networked application
becomes inactive.

45. (Original) The apparatus of claim 43, wherein the means for determining further
detects when no networked application is active and the means for evaluating further
suspends the evaluation of network traffic until the means for determining determines a
networked application is active.

46. (Original) The apparatus of claim 43, wherein the means for filtering further
filters the intrusion rules corresponding to an operating system and the means for
evaluating continues the evaluation of network traffic when the means for determining
determines no networked application is active.

47. (Original) The apparatus of claim 43, wherein the means for evaluating 
comprises: 

means for discarding network traffic that satisfies at least one of the subset of
rules; and

means for reporting an intrusion attempt.

48. (New) The computerized method of claim 1, wherein the intrusion rules include
information selected from the group consisting of a targeted active networked
application, a specific hostile payload, a network port, and a protocol.

49. (New) The computerized method of claim 1, wherein the intrusion rules include
an attack signature. 

50. (New) The computerized method of claim 1, wherein at least one of the intrusion
rules is a heuristic rule.

51. (New) The computerized method of claim 51, wherein the heuristic rule includes
information associated with an active networked application making a new connection
never previously made. 
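
A minimal sketch of the filtering recited in claims 1 to 7 and 12, given here as an added example that is not part of the filing or any code of the applicant. The rule fields, the class and method names, the sample rules and the use of port 0 as "any port" are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    target: str       # application name, or "os" for operating-system rules
    protocol: str
    port: int         # 0 is treated as "any port" (assumption of this sketch)
    signature: bytes  # byte pattern of a known attack (constructed sample)

# Constructed sample rule set; names and patterns are illustrative only.
RULES = [
    Rule("web-traversal", "httpd", "tcp", 80, b"../../"),
    Rule("mail-longcmd", "smtpd", "tcp", 25, b"A" * 64),
    Rule("os-frag", "os", "udp", 0, b"\x00BADFRAG"),
]

class FilteredIps:
    def __init__(self, rules, use_os_rules=False):
        self.rules = rules
        self.use_os_rules = use_os_rules
        self.conns = {}     # application -> number of open connections
        self.subset = []    # rules currently used for evaluation
        self.reports = []   # names of rules that fired
        self._refilter()

    def _refilter(self):
        # Claims 1 and 2: keep only rules targeting an active networked application.
        active = {app for app, n in self.conns.items() if n > 0}
        if self.use_os_rules:
            active.add("os")            # claim 6: OS rules stay in the subset
        self.subset = [r for r in self.rules if r.target in active]

    def connection_opened(self, app):   # claim 7: connection initiated
        self.conns[app] = self.conns.get(app, 0) + 1
        self._refilter()

    def connection_closed(self, app):   # claim 3: connection terminated
        self.conns[app] = max(0, self.conns.get(app, 0) - 1)
        self._refilter()

    def evaluate(self, protocol, port, payload):
        """Return 'suspended', 'drop' or 'pass' for one packet."""
        if not self.subset:             # claim 5: nothing active, evaluation suspended
            return "suspended"
        for r in self.subset:
            if r.protocol == protocol and r.port in (0, port) and r.signature in payload:
                self.reports.append(r.name)   # claim 12: discard and report
                return "drop"
        return "pass"
```
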